1 files changed, 30 insertions, 8 deletions
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 856c8a287523..e03a7e19c73b 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -86,6 +86,9 @@ LIST_HEAD(smack_rule_list);
 static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
+const char *smack_cipso_option = SMACK_CIPSO_OPTION;
 #define SEQ_READ_FINISHED       1
 /*
@@ -565,6 +568,11 @@ static ssize_t smk_write_cipso(struct file *file, const char __user *buf,
                goto unlockedout;
        }
+        /* labels cannot begin with a '-' */
+        if (data[0] == '-') {
+                rc = -EINVAL;
+                goto unlockedout;
+        }
        data[count] = '\0';
        rule = data;
        /*
@@ -808,9 +816,18 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
        if (m > BEBITS)
                return -EINVAL;
-        sp = smk_import(smack, 0);
+        /* if smack begins with '-', its an option, don't import it */
-        if (sp == NULL)
+        if (smack[0] != '-') {
-                return -EINVAL;
+                sp = smk_import(smack, 0);
+                if (sp == NULL)
+                        return -EINVAL;
+        } else {
+                /* check known options */
+                if (strcmp(smack, smack_cipso_option) == 0)
+                        sp = (char *)smack_cipso_option;
+                else
+                        return -EINVAL;
+        }
        for (temp_mask = 0; m > 0; m--) {
                temp_mask |= mask_bits;
@@ -849,18 +866,23 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
                        smk_netlbladdr_insert(skp);
                }
        } else {
-                rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
+                /* we delete the unlabeled entry, only if the previous label
-                        &skp->smk_host.sin_addr, &skp->smk_mask,
+                 * wasnt the special CIPSO option */
-                        PF_INET, &audit_info);
+                if (skp->smk_label != smack_cipso_option)
+                        rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
+                                        &skp->smk_host.sin_addr, &skp->smk_mask,
+                                        PF_INET, &audit_info);
+                else
+                        rc = 0;
                skp->smk_label = sp;
        }
        /*
         * Now tell netlabel about the single label nature of
         * this host so that incoming packets get labeled.
+         * but only if we didn't get the special CIPSO option
         */
+        if (rc == 0 && sp != smack_cipso_option)
-        if (rc == 0)
                rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,
                        &skp->smk_host.sin_addr, &skp->smk_mask, PF_INET,
                        smack_to_secid(skp->smk_label), &audit_info);

diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 856c8a287523..e03a7e19c73b 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c
@@ -86,6 +86,9 @@ LIST_HEAD(smack_rule_list);
86		86
87	static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;	87	static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
88		88
		89	const char *smack_cipso_option = SMACK_CIPSO_OPTION;
		90
		91
89	#define SEQ_READ_FINISHED 1	92	#define SEQ_READ_FINISHED 1
90		93
91	/*	94	/*
@@ -565,6 +568,11 @@ static ssize_t smk_write_cipso(struct file file, const char __user buf,
565	goto unlockedout;	568	goto unlockedout;
566	}	569	}
567		570
		571	/* labels cannot begin with a '-' */
		572	if (data[0] == '-') {
		573	rc = -EINVAL;
		574	goto unlockedout;
		575	}
568	data[count] = '\0';	576	data[count] = '\0';
569	rule = data;	577	rule = data;
570	/*	578	/*
@@ -808,9 +816,18 @@ static ssize_t smk_write_netlbladdr(struct file file, const char __user buf,
808	if (m > BEBITS)	816	if (m > BEBITS)
809	return -EINVAL;	817	return -EINVAL;
810		818
811	sp = smk_import(smack, 0);	819	/* if smack begins with '-', its an option, don't import it */
812	if (sp == NULL)	820	if (smack[0] != '-') {
813	return -EINVAL;	821	sp = smk_import(smack, 0);
		822	if (sp == NULL)
		823	return -EINVAL;
		824	} else {
		825	/* check known options */
		826	if (strcmp(smack, smack_cipso_option) == 0)
		827	sp = (char *)smack_cipso_option;
		828	else
		829	return -EINVAL;
		830	}
814		831
815	for (temp_mask = 0; m > 0; m--) {	832	for (temp_mask = 0; m > 0; m--) {
816	temp_mask \|= mask_bits;	833	temp_mask \|= mask_bits;
@@ -849,18 +866,23 @@ static ssize_t smk_write_netlbladdr(struct file file, const char __user buf,
849	smk_netlbladdr_insert(skp);	866	smk_netlbladdr_insert(skp);
850	}	867	}
851	} else {	868	} else {
852	rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,	869	/* we delete the unlabeled entry, only if the previous label
853	&skp->smk_host.sin_addr, &skp->smk_mask,	870	* wasnt the special CIPSO option */
854	PF_INET, &audit_info);	871	if (skp->smk_label != smack_cipso_option)
		872	rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
		873	&skp->smk_host.sin_addr, &skp->smk_mask,
		874	PF_INET, &audit_info);
		875	else
		876	rc = 0;
855	skp->smk_label = sp;	877	skp->smk_label = sp;
856	}	878	}
857		879
858	/*	880	/*
859	* Now tell netlabel about the single label nature of	881	* Now tell netlabel about the single label nature of
860	* this host so that incoming packets get labeled.	882	* this host so that incoming packets get labeled.
		883	* but only if we didn't get the special CIPSO option
861	*/	884	*/
862		885	if (rc == 0 && sp != smack_cipso_option)
863	if (rc == 0)
864	rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,	886	rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,
865	&skp->smk_host.sin_addr, &skp->smk_mask, PF_INET,	887	&skp->smk_host.sin_addr, &skp->smk_mask, PF_INET,
866	smack_to_secid(skp->smk_label), &audit_info);	888	smack_to_secid(skp->smk_label), &audit_info);